IP Sharing Detected

Solved
Shadius
Building a reputation

IP Sharing Detected

Hi all,

 

I've recently started receiving alerts of IP sharing after a power outage.  It goes on to say "NAT has been detected on 1 client in the...," etc.  I'm not sure what it means exactly.  Prior to the abrupt power outage, I've never received these alerts before. Can someone educate me, please?

 

Thanks in advance.

1 Accepted Solution
EJN
A model citizen

Check your DHCP server. It means more than one client/device is using the same IP address. Go to Clients view and sort by IP address (depending on how many clients you have).

 

Cycle the port or client and that should fix for now. If it happens again or frequently, then more troubleshooting is needed.

Esteban J Nunez
School and Church
K-12 Education

View solution in original post

20 Replies 20
EJN
A model citizen

Check your DHCP server. It means more than one client/device is using the same IP address. Go to Clients view and sort by IP address (depending on how many clients you have).

 

Cycle the port or client and that should fix for now. If it happens again or frequently, then more troubleshooting is needed.

Esteban J Nunez
School and Church
K-12 Education
Shadius
Building a reputation

@EJN 

 

Thank you! I will try that.

Dunky
Head in the Cloud

There has got to be another cause to be generating literally hundreds of alerts across all sites.  Any ideas anyone?

mcgruff
Conversationalist

@Dunky

 

What hardware are you guys on? We're using MS250-24Ps and the firmware version is MS 14.32

 

Dunky
Head in the Cloud

@mcgruff 

 

MS210-24P

14.32

 

ospsms
Here to help

Same latest FW versions for our network Meraki switches. We are set to auto update switch FW. 

ospsms
Here to help

We are seeing this on two network subnets, started all of the sudden this week. I checked the two dhcp servers on each site’s subnet AD controllers. I don’t think I have multi site DHCP issues, I think its the Meraki’s latest switch FW update… we had to turn off this alert. Waiting on Meraki to acknowledge the firmware update bug

Dunky
Head in the Cloud

I have had alerts now from a subnet that has all static IPs on it so its deffo not related to duplicate addresses issued by DHCP

Dunky
Head in the Cloud

@ospsms have you opened a case with Meraki?

Would be good to get some confirmation of a firmware related issue as the number of alerts is just crazy.

Dunky
Head in the Cloud

I noticed a new alarm type in Network-wide>Alerts that appears to relate to this:

Dunky_0-1635515348625.png

Its appeared on my MX85 running 16.8.

If enabled, options are ASAP, daily or weekly.

Or you could disable - I cannot recall whether or not it was enable by default.

 

 

 

WirelesslyWired
Meraki Employee
Meraki Employee

This is a function that was added to MS14 on a few specific switches. It watches traffic for anomalous behavior that would indicate a device is NATing clients. The intention was to try and help people identify rogue access points that are NATing and catching clients that are using VMs that may be performing NAT to the host address. We are working on producing documentation but as of today, I would recommend daily alerts, as if you have misbehaving or oddly behaving clients, it can produce false positives due to the nature of fingerprinting.  

CCIEw# 45253 / CWNE# 249 / Principal TME - Meraki Product
Dunky
Head in the Cloud

Ahh yes, its in the switch section of the alerts, I had forgotten that this particular network was running later switch firmware to my others.

 

WirelesslyWired
Meraki Employee
Meraki Employee

easy to do, the ui could use a little modernizing! 

CCIEw# 45253 / CWNE# 249 / Principal TME - Meraki Product
Shadius
Building a reputation

Yes, I did notice this function when I upgraded the firmware for the switches.

 

Thank you for the explanation and suggestion @WirelesslyWired 

 

It seems that cycling the port has stopped the alerts also. Thank you @EJN 

Dunky
Head in the Cloud

Is there any documentation available on this yet?

I've had over 600 alerts today across a dozen sites so it can't be related to duplicate IP addresses. My DHCP server is an MX at each site. 

Dunky
Head in the Cloud

I'm not convinced its related to duplicate IPs due to the volume and geographic spread I am seeing,.

Could it be where a client has both a Wifi and ether connection?

 

 

mcgruff
Conversationalist

Can you propose troubleshooting steps? We're seeing dozens of nat detection alerts on one site but not on others (Same switch, same firmware, same topology on all sites)

Lonestarr
Here to help

Has Meraki produced documentation for this yet?  We just turned on a number of alerts for our network and are tweaking them to see what works for us.  I read this thread earlier and we decided to get weekly alerts.  For this week we have 3 alerts at 3 different offices.  One is here at our HQ and I was able to find who it is and verify there was no issue.  But the other two are clear across the country, and one of them is on wifi so I can't cycle the port as suggested above.  How do we troubleshoot these alerts to determine whether it's a false positive or a legit concern, without physically going to the device and looking for vmware (which shouldn't be on it based on group policies anyway)?

CraigCummings
Getting noticed

"Modern operating systems use a number of tracking prevention methods that can resemble the behaviour of many hosts behind a single NAT IP. Therefore NAT detection may also cause alerts for legitimate traffic that may not be related to NAT. 

It is recommended to tune the alert frequency to a suitable value for your network, then investigate to determine whether further action should be taken."

 

So, it might be real, might be false positive...and we're supposed to go investigate them all?  I'm not sure this is very helpful. 

Dunky
Head in the Cloud

Agreed, I've turned it off.

About as useful as the warning of clients with bad WiFi connection - tells you AP's and how many clients (not sure I believe it as its always 5) but not which ones!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels